Topic: False positive?

Offline zenzor

False positive?
« on: December 15, 2013, 09:25:33 AM »
Avast is reporting this site as having a trojan:

hxxp://poserworld.com/

Seems to be this link:

<script type="text/javascript" language="javascript" src="xxxx://www.anrdoezrs.net/l177cA6wy-296z-CLTPSNVNO?target=_top&mouseover=Y"></script>

I've tested it at virustotal.com however and it reports it as clean (a few scanners report "unrated").
« Last Edit: December 15, 2013, 10:03:22 AM by zenzor »

Offline Pondus

Re: False positive?
« Reply #1 on: December 15, 2013, 09:35:45 AM »
Quote
I've tested it at virustotal.com however and it reports it as clean (a few scanners report "unrated").
VirusTotal does not scan the website for infections... it is just a reputation list check


nothing here: http://urlquery.net/report.php?id=8395042

and nothing here: http://sitecheck.sucuri.net/results/poserworld.com/

« Last Edit: December 15, 2013, 09:41:50 AM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline zenzor

Re: False positive?
« Reply #2 on: December 15, 2013, 09:56:28 AM »

Offline Eddy

Re: False positive?
« Reply #3 on: December 15, 2013, 09:58:18 AM »
Eh, yes. There is something on urlquery.
Malicious site hosted on the same IP address.

Offline Pondus

Re: False positive?
« Reply #4 on: December 15, 2013, 10:01:01 AM »
Quote
Eh, yes. There is something on urlquery.
Malicious site hosted on the same IP address.
what site do you see?

I see the same URL ... and no detection reported
Quote
2013-12-15 11:40:15   0 / 0   hxxp://poserworld.com   74.43.133.91

and that I guess would only be an issue if it was a URL/IP block... and not when an infection is detected on a specific website

« Last Edit: December 15, 2013, 10:04:22 AM by Pondus »
Offline Pondus

Re: False positive?
« Reply #5 on: December 15, 2013, 10:06:25 AM »
You can upload files and report issues to the avast lab here: http://www.avast.com/contact-form.php (select the subject according to your case)

Offline zenzor

Re: False positive?
« Reply #6 on: December 15, 2013, 10:20:32 AM »
Quote
You can upload files and report issues to the avast lab here: http://www.avast.com/contact-form.php (select the subject according to your case)

OK, done. Thanks!

Offline polonus

Re: False positive? or foo=<script> html injection attack?
« Reply #7 on: December 15, 2013, 01:19:43 PM »
I also get a suspicious result on an iFrame check:
Suspicious: htxp://poserworld.com/newsletter.htm - when I checked that, avast! Web Shield blocked and alerted JS:Agent-CQF[Trj] (hidden input)
Also consider the results of this scan: https://asafaweb.com/Scan?Url=poserworld.com
Requested URL: htxp://poserworld.com/Home.aspx?foo=<script>
Response URL: htxp://poserworld.com/Home.aspx?foo=<script> *
Page title: Poser 3D | Poser Models | Poser Clothes | Poser Downloads | Poser Scenes | DAZ Studio Models | Poser 5, 6, 7, 8 , 9, 2010, 2014
HTTP status code: 200 (OK)
Response size: 71,687 bytes (gzip'd)
Duration: 465 ms
Overview
In a web forms site, request validation ensures all requests to the website do not contain a potentially malicious payload. This protects against the likelihood of cross site scripting (XSS) vulnerabilities being exploited on the site.

Result
It looks like request validation has been turned off. Making a request to the site with the malicious URL above is returning the same response body as a legitimate request so the app appears to be accepting the XSS payload in the query string. Request validation is easy to enable, just configure the web.config to ensure "validateRequest" is set to "true" (this is also the default if no setting exists):

<pages validateRequest="true" />

Also make sure the individual Page declarations have ValidateRequest set to "true" (this is also the default if no setting exists):

<%@ Page ValidateRequest="true" %>

Warning: There are legitimate use cases for turning request validation off in some places so be certain you're not going to break anything before disabling it.
foo=<script> HTML injection attack, read: http://deadliestwebattacks.com/html-injection-quick-reference/

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
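An added example, not part of the thread and not asafaweb's code: it reproduces offline, on constructed response pairs, the comparison the scan result above describes (clean request vs. request carrying a tag in ?foo=), and adds the check that result does not make on its own, namely whether the parameter is actually echoed back unencoded. The Response class, the CANARY token and the sample bodies are assumptions.

```python
import html
from dataclasses import dataclass

# Canary instead of a bare "<script>": ASP.NET request validation rejects any
# query value containing "<" followed by a letter, and a unique token cannot be
# confused with the page's own legitimate <script> tags when checking reflection.
CANARY = "<probe-tag-7c3e>"

@dataclass
class Response:
    status: int
    body: str

def classify_request_validation(baseline: Response, probe: Response) -> str:
    """Compare a clean request's response with one carrying the canary in ?foo=."""
    # validateRequest="true" makes ASP.NET reject the request with HTTP 500 and
    # the message "A potentially dangerous Request.QueryString value was detected".
    if probe.status == 500 and "potentially dangerous Request" in probe.body:
        return "enabled"
    # Same status and same body as the clean request: the payload was accepted
    # and ignored, which is what the asafaweb check reports as validation off.
    if probe.status == baseline.status and probe.body == baseline.body:
        return "disabled"
    return "inconclusive"

def reflection(probe: Response, canary: str = CANARY) -> str:
    """Does the probed parameter come back raw, HTML-encoded, or not at all?"""
    if canary in probe.body:
        return "raw"          # echoed unencoded: the finding that matters for XSS
    if html.escape(canary) in probe.body:
        return "escaped"      # encoded on output: validation off, but output safe
    return "absent"

# Constructed sample responses (not captured from the site in the thread).
BASELINE = Response(200, '<html><body><h1>Poser 3D</h1><script src="/app.js"></script></body></html>')
PROBE_IGNORED = Response(200, BASELINE.body)
PROBE_REJECTED = Response(500, "<html>Server Error in '/' Application. A potentially "
                               "dangerous Request.QueryString value was detected from the client.</html>")
PROBE_RAW = Response(200, f"<html><body>Search: {CANARY}</body></html>")
PROBE_ESCAPED = Response(200, f"<html><body>Search: {html.escape(CANARY)}</body></html>")

if __name__ == "__main__":
    for name, probe in [("ignored", PROBE_IGNORED), ("rejected", PROBE_REJECTED),
                        ("raw", PROBE_RAW), ("escaped", PROBE_ESCAPED)]:
        print(name, classify_request_validation(BASELINE, probe), reflection(probe))
```

"disabled" with "absent" or "escaped" is the configuration finding the scan reports; only "raw" indicates the page itself echoes the parameter without encoding.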

Offline polonus

Re: False positive?
« Reply #8 on: December 15, 2013, 01:30:34 PM »
This is the HTML Injection technique performed:
State and Injection example:
State = ]]><FOO>
Injection example = <![CDATA[]]><script>☣</script>]]>

pol